Strengthening the weakest link: Business Continuity Management for SMEs

Dr. L. Marinos, ENISA

Essen, 5 October 2010


SME working assumption

• SMEs grow out of entrepreneurship and have a low level of resources for “non-productive” investments

• Most SMEs (esp. owners) have a low level of BC knowledge

• SMEs are not in a position to fully develop a BCP

• Even where some IT knowledge exists, availability is usually not part of it

• SMEs tend to use standard components (software and hardware)

What is Business Continuity?

• Business Continuity is the ability to continue the business in a manner that is acceptable for the customer.

• For SMEs, BC needs to be:

  • Low cost

  • Simple

  • Practical

  • Affordable in the long term

Business Continuity (Full version)

[Diagram: the full BCM lifecycle; the stage and plan labels recovered from it are listed below, grouped by phase]

• Define BCM Framework

  • Initiate BCM Programme

  • Define BCM Policy

  • Assign BCM and Incident Responsibilities

  • Identify the Organisation

• Assess Risks and Impacts

  • Conduct Business Impact Analysis

  • Analyze Results

  • Prioritize Recovery / Define Critical Resource Requirements

  • Determine Recovery Options

  • Agree Recovery Strategy

• Design BCP

  • Design BCM Approach

• Deliver BCP

  • Incident Response Plan

  • Incident Management Plan

  • Business Recovery Plan

  • Recovery Support Plan

  • Communications and Media Plan

  • IT Service Continuity Plan

  • Business Resumption Plan

• Test BCP

  • Write Test Plan

  • Determine Type of Test

  • Conduct Test

  • Deliver Debrief/Test Report

• Sustain BCM Programme

  • Train Staff

  • Develop Awareness

  • Maintain and Review BCP

• Interface to other operational and product processes

• Adapted Risk Management Activities

• Time axis of the plans: Short term / Middle term / Long term / Recurrence

Problems with BC (as with other security issues)

• Too complicated

• Not business oriented

• Too focused on technical assets

• Too much concentration on threats

• Too reliant on estimates of “probability”

• Threat and vulnerability assessments too technical

• Unrealistic targets

• No clear action plan

• TOO SLOW!

Source: Jeremy Ward

Business Continuity “Light”

• Suited to low expertise in the area of BC

• Simply structured

• Balance between simplicity and effectiveness

• Understandable relations between the terms used

• Good basis for knowledge transfer

ENISA-Approach

[Diagram: the four-phase ENISA approach, whose output is a Business Continuity Plan]

• Phase 1: Select Risk Profile

• Phase 2: Critical Assets Identification

• Phase 3: Controls Selection

  • Asset Based Continuity Controls (Asset Control Cards)

  • Organizational Continuity Controls (Org. Control Cards)

• Phase 4: Implementation and Management

  • Controls Implementation Plan

• Output: Business Continuity Plan

http://www.enisa.europa.eu/act/rm/risk-management-for-smes-and-micro-enterprises

In Conclusion

• We see a trend towards simpler approaches

• Become business oriented (not technical, threat-centric, etc.)

• Promote through professional associations

• Develop corresponding certification schemes

• Promote the creation of a relevant “market”

Thank you for your attention

[email protected]

ENISA Risk Management Web Pages: www.enisa.europa.eu/rmra